6 Tips For Securing Social Media In The Workplace

Empower employees by training them to be aware and secure, and in how to avoid becoming a statistic.

The use of social networking, for most people, has become a daily habit or addiction. Initially people used social media primarily outside the workplace to connect with close friends, family and employment opportunities. Today, social media is as pervasive inside the workplace as out and people are tweeting, linking, and connecting -- on company assets, bandwidth, and time.


For the corporate security team, this has opened the door to a wide range of vexing issues from heavy users (like me!) who will access Facebook and Twitter on their mobile devices, regardless of policy. But rather than continually fight the trend, I recommend that organizations resign themselves to the fact that employees are going to use social media at work. The solution is to make sure people use social media appropriately and securely. Here are six tips to make that happen.

Establish a social media policy and implement training. In every company I’ve worked for, we had a social media policy. The following link on social media governance provides examples of policies that are being used by large companies across most industry verticals. Additionally, in the onboarding process for new employees and contractors, companies should provide the social media policy and have them sign off that they have read it and understand the policy. I would also recommend quarterly training for organizations’ public-facing employees who represent the company in outbound communications.

Promote the use of strong passwords. This should be the first thing covered in policy. Passwords should be complex, and employees should be reminded that the ones they use for social media must not be the same as their corporate login. I highlight this point because I’ve seen many compromises where the adversary was able to access multiple accounts because individuals used the same password for all of them.

Utilize infrastructure security controls such as application control and encryption. There are network security products that can provide application control for Facebook and Twitter. These controls can range from giving users “read-only” access to content such as Facebook posts and tweets, to full access that allows posting and uploading video and images. Although this type of control is useful, it does not work when Facebook and Twitter use SSL by default, because the control point cannot see the application-layer requests it needs to classify. If your organization doesn’t have a way to decrypt Facebook and Twitter traffic, it is not going to be able to use the application control feature. It’s important to find a network security solution, such as a next-generation firewall or dedicated SSL appliance, that can decrypt SSL traffic and scale to your organization's network performance requirements.
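To make the decryption point concrete, here is a small policy model written as an added example for this article (it is not code from the author or from any firewall vendor). It shows why a “read-only” social media rule can only be enforced once the control point sees the HTTP method: with TLS intact it sees just the SNI hostname and can only allow or block a site wholesale. The host list, the group names and their access levels are constructed assumptions.

```python
"""Toy application-control policy for social media traffic.

Added example, not code from the article. It models the point that a
"read-only" policy for Facebook or Twitter needs decrypted traffic: without
decryption the control point only sees the TLS SNI hostname and can merely
allow or block a site; with decryption it sees the HTTP method and path and
can separate reading a feed from posting or uploading. Host lists, group
names and access levels below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hostnames treated as social media (constructed; a real product ships its own list).
SOCIAL_HOSTS = {"www.facebook.com", "facebook.com", "twitter.com", "api.twitter.com"}

# Access level per user group: "none", "read-only" or "full" (constructed).
GROUP_POLICY = {"staff": "read-only", "marketing": "full", "contractors": "none"}

# HTTP methods that change state on the service (posting, uploading, liking).
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    sni_host: str                  # visible even without decryption
    method: Optional[str] = None   # known only after decryption
    path: Optional[str] = None     # known only after decryption


def decide(req: Request, group: str, decrypted: bool) -> Tuple[str, str]:
    """Return ("allow" | "block", reason) for one request.

    `decrypted` says whether the control point could inspect the HTTP layer.
    A read-only policy fails closed when it cannot: letting the connection
    through would silently grant full access.
    """
    level = GROUP_POLICY.get(group, "none")
    if req.sni_host not in SOCIAL_HOSTS:
        return "allow", "not a social media host; outside this policy"
    if level == "none":
        return "block", f"group {group!r} has no social media access"
    if level == "full":
        return "allow", f"group {group!r} has full access"
    # level == "read-only": the HTTP method is needed to enforce it.
    if not decrypted or req.method is None:
        return "block", "read-only policy requires decrypted traffic; failing closed"
    if req.method.upper() in WRITE_METHODS:
        return "block", f"{req.method} {req.path} would post or upload"
    return "allow", f"{req.method} {req.path} is read-only"


def evaluate(requests: List[Request], group: str, decrypted: bool) -> List[Tuple[str, str]]:
    """Apply the policy to a batch and return (host, decision) pairs."""
    return [(r.sni_host, decide(r, group, decrypted)[0]) for r in requests]


if __name__ == "__main__":
    # Constructed sample traffic: one read, one upload, one unrelated site.
    sample = [
        Request("www.facebook.com", "GET", "/feed"),
        Request("www.facebook.com", "POST", "/upload/video"),
        Request("intranet.example.com", "GET", "/"),
    ]
    for decrypted in (True, False):
        print(f"--- group=staff decrypted={decrypted}")
        for r in sample:
            # With TLS intact only the SNI hostname is observable.
            seen = r if decrypted else Request(r.sni_host)
            verdict, why = decide(seen, "staff", decrypted)
            print(f"{verdict:5}  {seen.sni_host:24}  {why}")
```

Running the script prints the same three requests under both conditions: decrypted, the feed read is allowed and the upload is blocked; undecrypted, the whole site is blocked for the read-only group, which is exactly the degraded behaviour the paragraph describes. Whether to fail closed or fall back to site-level blocking is a policy choice, but failing open would turn “read-only” into “full” without anyone noticing.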

Choose Web browsers with high malware block rates. Web browsers are most often the first line of defense against malware, and there are large differences among the leading browsers in their ability to block it. In NSS Labs’ 2013 Web browser tests, Internet Explorer 10 had the highest malware block rate at 99.96%, followed by Google Chrome at 83.16%. Apple Safari 5, Mozilla Firefox 19, and Opera 12 all lagged behind with block rates around 10% or less.

Location-based social media can reveal unintended information. Caution employees about checking into customer or vendor sites on apps such as Facebook or Foursquare, which can reveal competitive information or even merger and acquisition plans.

Be careful of posting on LinkedIn. Train employees to refrain from posts that include information about their job duties, since the posts could shed light on the sensitive projects they are working on. Additionally, if the company is involved in a merger or acquisition, executives shouldn’t accept LinkedIn requests from the company they are visiting or from their direct peers there.

While some of these best practices may seem like "no brainers,” it’s important to remind employees of them because, let’s face it, we all forget and become lax at times. It’s also important to help employees understand that while we can control what we post, we can’t always control what other people will do with the information, images, and links we share.

If companies lay out simple best practices for employees, they can save the organization from becoming a statistic. The best example I can leave you with is a reminder of the damage that can be done to financial markets in 140 characters or less. In 2013, the Syrian Electronic Army caused the Dow Jones Industrial Average to drop based on one tweet they posted through a compromised CNN Twitter account.


John Pirc is a noted security intelligence and cybercrime expert, an author, and a renowned speaker, with more than 15 years of experience across all areas of security. He is the co-author of two books, including Blackhatonomics: An Inside Look at the Economics of ...

It's necessary to use social media websites and Gmail securely at work. The most important thing that can be done is to frequently change your passwords, and the use of secure browsers can help you to protect your data.

The point about LinkedIn I think was just brought home by the situation with the Iranian hackers. It is important for organizations, particularly defense and financial organizations, not to underestimate how much social networking sites can be used for the purposes of recon for attackers.

I do think that today most employees are aware of the risks from social media in the workplace (and at home), but it's easy to fall into bad practices. Technology solutions like using Web browsers with high malware block rates seem to me like a no-brainer from the IT side. And putting the onus on employees to avoid location-based social media on their corporate mobile devices doesn't seem too onerous. LinkedIn, on the other hand, would require more of an effort in user education.

Thank you, Shawn. This point was tied to an actual use case. The amount of data you can mine within LinkedIn isn't only tied to M&A but also to employee morale. When I get requests to provide recommendations, usually shortly after I give the recommendation they leave their job for another opportunity. Again, I appreciate your comments.

It's so easy to say but much harder to do. You have to put time aside for this. That is the toughest part. Real world examples would help. Many that post things about the company don't even realize it, and unless you show them hard examples, they may not get it.

Some kind of interactive piece would also help... even if that is just asking questions. Get them involved somehow.

Finding the happy medium of training that is not too technical or too long -- yet still is effective -- sounds like a pretty tall order. Does anybody want to share their best practices (or lessons learned)?

Training to back up the company policy is a must. You can put all you want in the policy; people just are not going to read it. You could say that it's their problem if they don't read it, but it can make major headaches for IT staff if they do something they shouldn't. Training and talking about it helps a lot. Keep the training short and to the point, don't get too technical, and you can make your job easier.

If you think that bad news travels 10x as fast as good, then perhaps a good social media policy is minimalistic? I agree that companies need a "firm but fair" policy for social media, and to educate on the downside. I have seen corporate policies that attempt to limit access to certain sites using third party taxonomy, but I am not sure this works as a moral quotient. In the end it comes down to exercising good judgement through emotional intelligence. Thanks for a great article.
